but that's a false suggestion, IIUC, no mention of grsecurity, so, again: IIUC, or to be sure: correct me if I'm wrong in understanding that they don't offer grsecurity-hardened kernel. And if they don't, it's a false suggestion. Period.

may be worth it, but not for all users. Exempli gratia, I liked to be close to the bleeding edge and install the weekly DVDs, and then compile the grsecurity-hardened kernel for it. Doesn't seem possible with Mempo.

But Mempo is not to be counted out. I really wish those guys succeeded! Their ideas are so pure, so right, and so needed today!

I terribly liked what I could achieve with having my grsecurity-hardened kernel on the weekly (was it Sid up until a few months ago?, yes I think so), and then, the beauty was that thanks to Thorsten mirabilos Glaser...

The beauty was that then, thanks to mirabilos from MirBSD, it was possible to rid myself of the program architecture that is there in most FOSS Linux and their relatives in FOSS, with the true purpose under the hood of its shine, to make for proprietary programs to work on top of [F]ree [O]pen [S]ource [S]oftware.

And proprietary, for which that architecture is there, and sadly lives undisturbed in most Linuces and their relatives of this day...

And yes I mean dbus based architecture.

And proprietary, in this day and age, means: in the service of the one-ring-to-rule-them-all cravers, dear brothers in *nix.

And the beauty was that, thanks to that programmer from the BSD community, I was able to rid my Debian of dbus, pulseaudio and all those poetterware programs, along with hardening it with my dearest program in all of FOSS, the grsecurity.

Sadly, while what I explained I needed to do in my previous post to this post, and it is this one:

I did manage to do, it cost me huge time which then I did not have available for so many other things.

I have deployed grsecurity completely in my Gentoo, I know now how to filter traffic in such way that pretty much nothing is unobserved if I get under attack (well, there surely are subjects stronger than me, but I'm not, say, such a subject like Iran was years ago, to deserve those subjects' attention, or like the hackers deserve it who hack into their premises)... Along with having managed deploying iptables properly, and other things...

And I can tell you that Gradm really really does it! Gradm, the grsecurity administration, which, as I said in a few places, needs to be deployed on top of the grsecurity-hardened kernel to account for the few holes that otherwise still remain, as they can not be fixed via solely the kernel patching, which grsecurity does.

My desire to transmit the little but good and very recommendable knowledge that I have gained by now, has not left me, such as to make the next tip some day, the harder one to do, on how to deploy Gradm in Debian. The harder one (than this tip you are reading) to do for newbies, and the harder one (than this tip) to write for me (or if someone else takes over).

It really depends. If Devuan takes off and learns to fly, and if they, this is important, and I'll point them over to these words of mine...

And if they offer a no-dbus Devuan, which I am not certain it is among their objectives; but if they do, then you may even not see much of me, because then I may get my little free time that I have, I can then start using that time for Devuan only...

But if they don't offer a non-dbus Devuan, then I can't go for Devuan.

But I'm really not a developer to be able to follow them in the development of Debian, so I withdrew from the discussion.

And if they don't offer a no-dbus Devuan, then I may try and see if modalities still exist here in Debian, to go on where I left, disgusted that not even a simple file of a few kilobytes was allowed in the DVD 1 back when they were all (are they still?) about imposing the freaking systemd on every Debian user, as you can read in this tip of mine:

where find this paragraph: "As you can see the systemd vandals have removed the sysvinit time honored and reliable (although a better one should be invented/deployed) init from the disk 1. Namely it is there in the disk-2. For the 129K sysvinit-core_2.88dsf-58_amd64.deb there was no room to be found in the disk-1... It's shame."

I don't know which way I will go next, esp. since I'm much more familiar with Gentoo (which is the best for security, and for defence from surveillance, as it is the home of grsecurity-hardening deployed).

And also the way that I showed I believe in, in my tips in these Debian Forums, and which is above all without dbus/poetterware and with grsecurity/PaX, and which I believe is the way to go in today's surveilled society, for anyone who wants to be free and not controlled by unknown to him/her. On that way De[bv][iu]an does not seem to be persevering on, not steadily, no, not so well as Gentoo...

And especially I don't know when I might go the way that I happen to go next in Debian or its fork Devuan.

timbgo: And the beauty was that, thanks to that programmer from the BSD community, I was able to rid my Debian of dbus, pulseaudio and all those poetterware programs, along with harden it with my dearest program in all of FOSS, the grsecurity.

Don't forget Avahi...

Didn't re-read the entire thread, but have you looked at Alpine Linux:

Alpine Linux was designed with security in mind. The kernel is patched with grsecurity/PaX out of the box, and all userland binaries are compiled as Position Independent Executables (PIE) with stack smashing protection. These proactive security features prevent exploitation of entire classes of zero-day and other vulnerabilities.

Here's the full Alpine link address, hope this works in Dillo. Really should take a look if interested in grsecurity and a system that doesn't come default with a whole bunch of unnecessary stuff. http://www.alpinelinux.org/about/

Avahi was developed by Lennart Poettering and Trent Lloyd. Average user doesn't need it, yet it's installed by default in most major Linux distributions. Just check it out via pstree or ps, disable Avahi and reboot, chances are your system won't miss it.

Avahi is a free zero-configuration networking (zeroconf) implementation, including a system for multicast DNS/DNS-SD service discovery. It is licensed under the GNU Lesser General Public License (LGPL).

Avahi is a system which enables programs to publish and discover services and hosts running on a local network. For example, a user can plug their computer into a network and have Avahi automatically advertise the network services running on the machine which could enable access to files and printers.

Regarding the installation of grsecurity, however, I gave lots of explanation and examples in the five pages of this tip, so far.

I believe, the most of the work is done, with this tip. When if ever, will there be a real for-newbies-easy-to-use deployment of grsecurity? Maybe never, since you get their SELinux deployed in no-brains-needed fashion, because the filthy richness (the secret services are always with the moneys in societies left and right, it's the nature of the corrupted power)... [because the filthy richness] is not with us, but with them and it's those, the NSA and friends who made or broke, bullied or bought their way into your boxes, dear *nixers...

because I really like Gentoo and (Debian/Devuan?), and Dillo and Postfix, and a lot of other programs, but I love the best grsecurity, because they, our heroes spender and PaX Team, without them, the computing would have been so much poorer that you can't even imagine.

[So much poorer] of the real richness, the freedom, the freedom, attainable, not easily but pretty hard to attain, but attainable freedom from surveillance, one of the worst and most dangerous evils of our days.

sorry to barge in like this, i've spent time on grsec with Debian before and it was a bit steep at first, then it seemed to work well for me. Now, on a laptop, i cannot get it to work well. I had to recompile the intel ethernet module from intel sources because it seemed buggy, now i have network. But only DNS resolves, i cannot get apt-get update to work or for the policy to adapt to it.

Does anyone have a shorthand guide on working with grsec on Debian ? I still have the machine for which it worked at hand so i can also make a copy but i'd prefer to share experiences.

Embrace what you're not certain of, keep an eye on what you're confident about.

jlambrecht wrote: sorry to barge in like this, i've spent time on grsec with Debian before and it was a bit steep at first, then it seemed to work well for me. Now, on a laptop, i cannot get it to work well. I had to recompile the intel ethernet module from intel sources because it seemed buggy, now i have network. But only DNS resolves, i cannot get apt-get update to work or for the policy to adapt to it.

Does anyone have a shorthand guide on working with grsec on Debian ? I still have the machine for which it worked at hand so i can also make a copy but i'd prefer to share experiences.

It's not that simple.

1) You need to post all the relevant settings, and all the relevant log errors, and then describe as best you can, without missing important details, what is happening and what you suspect could be the cause (that is learning in itself, even if you get no reply)

2) and then someone who has experience with a similar setup and similar particular issues that you may have with your hardware or your setup, or such, then he has to look at it and try to figure out what there could be set wrong or even that there some circumstances (whichever that they may consist of) appear to be thwarting or disabling any chance of successful grsec installation and deployment, and then such person may even need to test it on a similar system

I've given directions that seemed to me the best bet to get it done.

But, if I recall correctly, you are on Ubuntu, and I don't even have a working Debian at the moment, and Devuan is currently installable the dbus way, without alternative, IIUC (and I do follow Devuan mailing list so I'm probably right here), which I wrote about that I don't want to follow...

In Ubuntu you also have dbus... which in my opinion is just a companion of systemd. And you also have systemd in Ubuntu, IIRC...

To deploy grsecurity in a system with systemd, it's not me (who am not even so advanced, to be honest), but more advanced and experienced users, such as a few Gentooers, for example, have complained that it is a headache to get a working grsecurity on a systemd machine...

I know Ubuntu is a real brand name, and so will Debian continue to be, and let's see if, which I so much hoped for, a systemd-free Debian fork, the Devuan really takes off and applies for the best standards in FOSS, such as allowing freedom from also dbus...

So, I know Ubuntu is a real brand name, and so will Debian remain to be (tarnished with the systemd default), but if I were you, I would seriously research if Miro Rovis, who writes these lines for you, to post his best advice in your case, if I were you, I would seriously research whether Miro is right, or maybe wrong (he's been decidedly proven wrong sometimes), and whether those, as he says, fake FOSS programs are as bad as he claims.

Fake FOSS programs, because they are, in his opinion, done in the service of big money (military, the absolutely most money spending firm in the world, the U.S. firm, is the main customer of the Red Hat who pay Poettering and Sievers, the systemd guys and all of their windozation-of-FOSS-Linux camaraderie)...

Because those guys are paid for by big money, and they have nothing to really do with the real free projects that are not corporate servicemen like the poetter-people, but who are free and open source idealist people like you and me...

I would research those, and, in case the systemd and grsec do appear incompatible... maybe I would see if I could get rid of them in Ubuntu first, so I can install grsec-hardened kernel...

Or maybe choose the Alpine Linux, as mardybear suggests... or maybe go with the Debian but the way that Miro (I'm still talking if I were you) wrote in a few places and linked to other tips, such as on how to install Debian the Air-Gapped way, systemd-free:

If I didn't have issues that drain my power (and a really good Gentoo installation for on-line, cloned from air-gapped offline-only), I would go those ways (as, not anymore talking as if I were you), I'm pretty certain of my findings.

Unfortunately, thanks to the abuses of embedded systems developers, the grsec team have restricted the availability of the stable release and it is no longer free (as in beer): https://grsecurity.net/announce.php